2002-12-28 16:38:03 +01:00
|
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
|
|
|
<html>
|
|
|
|
|
<head>
|
|
|
|
|
<meta http-equiv="Content-Type"
|
|
|
|
|
content="text/html; charset=windows-1252">
|
2003-07-22 00:06:18 +02:00
|
|
|
<title>Shoreline Firewall (Shorewall) 1.4</title>
|
2003-10-07 00:38:40 +02:00
|
|
|
<base target="_self">
|
2002-12-28 16:38:03 +01:00
|
|
|
</head>
|
2003-10-07 00:38:40 +02:00
|
|
|
<body>
|
2002-12-28 16:38:03 +01:00
|
|
|
<table border="0" cellpadding="0" cellspacing="4"
|
|
|
|
|
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
2003-07-22 00:06:18 +02:00
|
|
|
bgcolor="#3366ff">
|
2003-10-07 00:38:40 +02:00
|
|
|
<tbody>
|
|
|
|
|
<tr>
|
|
|
|
|
<td width="33%" height="90" valign="middle" align="center"><a
|
|
|
|
|
href="http://www.cityofshoreline.com"> </a><img src="images/Logo1.png"
|
|
|
|
|
alt="(Shorewall Logo)" width="430" height="90"> <br>
|
|
|
|
|
</td>
|
|
|
|
|
</tr>
|
|
|
|
|
</tbody>
|
2002-12-28 16:38:03 +01:00
|
|
|
</table>
|
2003-10-07 00:38:40 +02:00
|
|
|
<div align="center">
|
|
|
|
|
<center>
|
2002-12-28 16:38:03 +01:00
|
|
|
<table border="0" cellpadding="0" cellspacing="0"
|
|
|
|
|
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
2003-10-07 00:38:40 +02:00
|
|
|
<tbody>
|
|
|
|
|
<tr>
|
|
|
|
|
<td width="90%">
|
|
|
|
|
<h2>Introduction<br>
|
|
|
|
|
</h2>
|
|
|
|
|
<ul>
|
|
|
|
|
<li><a href="http://www.netfilter.org">Netfilter</a> - the
|
|
|
|
|
packet filter facility built into the 2.4 and later Linux kernels.</li>
|
|
|
|
|
<li>ipchains - the packet filter facility built into the 2.2
|
|
|
|
|
Linux kernels. Also the name of the utility program used to configure
|
|
|
|
|
and control that facility. Netfilter can be used in ipchains
|
|
|
|
|
compatibility mode.<br>
|
|
|
|
|
</li>
|
|
|
|
|
<li>iptables - the utility program used to configure and
|
2003-10-22 00:22:44 +02:00
|
|
|
control Netfilter. The term 'iptables' is often used to refer to the
|
|
|
|
|
combination of iptables+Netfilter (with Netfilter not in ipchains
|
|
|
|
|
compatibility mode).<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
</li>
|
|
|
|
|
</ul>
|
2003-10-22 00:22:44 +02:00
|
|
|
The Shoreline Firewall, more commonly known as "Shorewall", is
|
2003-10-07 00:38:40 +02:00
|
|
|
high-level tool for configuring Netfilter. You describe your
|
|
|
|
|
firewall/gateway requirements using entries in a set of configuration
|
|
|
|
|
files. Shorewall reads those configuration files and with the help of
|
|
|
|
|
the iptables utility, Shorewall configures Netfilter to match your
|
|
|
|
|
requirements. Shorewall can be used on a dedicated firewall system, a
|
|
|
|
|
multi-function gateway/router/server or on a standalone GNU/Linux
|
|
|
|
|
system. Shorewall does not use Netfilter's ipchains compatibility mode
|
|
|
|
|
and can thus take advantage of Netfilter's connection state tracking
|
|
|
|
|
capabilities.
|
|
|
|
|
<p>This program is free software; you can redistribute it and/or
|
|
|
|
|
modify it under the terms of <a
|
2003-10-22 00:22:44 +02:00
|
|
|
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
|
|
|
|
General Public License</a> as published by the Free Software Foundation.<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<br>
|
|
|
|
|
This program is distributed in the hope that it will be useful, but
|
|
|
|
|
WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
2003-10-22 00:22:44 +02:00
|
|
|
General
|
|
|
|
|
Public License for more details.<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<br>
|
|
|
|
|
You should have received a copy of the GNU General Public License along
|
|
|
|
|
with this program; if not, write to the Free Software Foundation, Inc.,
|
|
|
|
|
675 Mass Ave, Cambridge, MA 02139, USA</p>
|
|
|
|
|
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M.
|
|
|
|
|
Eastep</a></p>
|
2003-07-22 00:06:18 +02:00
|
|
|
<h2>This is the Shorewall 1.4 Web Site</h2>
|
2003-10-07 00:38:40 +02:00
|
|
|
The information on this site applies only to 1.4.x releases of
|
|
|
|
|
Shorewall. For older versions:<br>
|
2003-07-22 00:06:18 +02:00
|
|
|
<ul>
|
2003-10-07 00:38:40 +02:00
|
|
|
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
|
|
|
|
|
target="_top">here.</a></li>
|
|
|
|
|
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
|
|
|
|
|
target="_top">here</a>.<br>
|
|
|
|
|
</li>
|
2003-07-22 00:06:18 +02:00
|
|
|
</ul>
|
2003-05-18 20:38:34 +02:00
|
|
|
<h2>Getting Started with Shorewall</h2>
|
2003-10-22 00:22:44 +02:00
|
|
|
New to Shorewall? Start by selecting the <a
|
|
|
|
|
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
|
|
|
|
|
closely match your environment and follow the step by step instructions.<br>
|
2003-07-22 00:06:18 +02:00
|
|
|
<h2>Looking for Information?</h2>
|
2003-10-07 00:38:40 +02:00
|
|
|
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
|
|
|
|
Index</a> is a good place to start as is the Quick Search to your
|
|
|
|
|
right.
|
2003-07-22 00:06:18 +02:00
|
|
|
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
2003-10-07 00:38:40 +02:00
|
|
|
If so, the documentation<b> </b>on this site will not apply directly
|
2003-10-22 00:22:44 +02:00
|
|
|
to
|
|
|
|
|
your setup. If you want to use the documentation that you find here,
|
|
|
|
|
you will want to consider uninstalling what you have and installing a
|
|
|
|
|
setup that matches the documentation on this site. See the <a
|
|
|
|
|
href="two-interface.htm">Two-interface QuickStart Guide</a> for
|
2003-10-07 00:38:40 +02:00
|
|
|
details.
|
2003-07-22 00:06:18 +02:00
|
|
|
<h2></h2>
|
2003-04-13 17:28:32 +02:00
|
|
|
<h2><b>News</b></h2>
|
2003-10-22 00:22:44 +02:00
|
|
|
<p><b>10/21/2003 - Shorewall 1.4.7a</b><b> <img
|
|
|
|
|
style="border: 0px solid ; width: 28px; height: 12px;"
|
|
|
|
|
src="images/new10.gif" alt="(New)" title=""></b></p>
|
|
|
|
|
<p>This is a bugfix rollup of the following problem corrections:<br>
|
|
|
|
|
</p>
|
|
|
|
|
<ol>
|
|
|
|
|
<li>Tuomo Soini has supplied a correction to a problem that
|
|
|
|
|
occurs
|
|
|
|
|
using some versions of 'ash'. The symptom is that "shorewall start"
|
|
|
|
|
fails with:<br>
|
|
|
|
|
<br>
|
|
|
|
|
local: --limit: bad variable name<br>
|
|
|
|
|
iptables v1.2.8: Couldn't load match
|
|
|
|
|
`-j':/lib/iptables/libipt_-j.so:<br>
|
|
|
|
|
cannot open shared object file: No such file or directory<br>
|
|
|
|
|
Try `iptables -h' or 'iptables --help' for more
|
|
|
|
|
information.<br>
|
|
|
|
|
<br>
|
|
|
|
|
</li>
|
|
|
|
|
<li>Andres Zhoglo has supplied a correction that avoids trying
|
|
|
|
|
to use the multiport match iptables facility on ICMP rules.<br>
|
|
|
|
|
<br>
|
|
|
|
|
Example of rule that previously caused "shorewall start"
|
|
|
|
|
to fail:<br>
|
|
|
|
|
<br>
|
|
|
|
|
|
|
|
|
|
ACCEPT loc $FW
|
|
|
|
|
icmp 0,8,11,12<br>
|
|
|
|
|
<br>
|
|
|
|
|
</li>
|
|
|
|
|
<li>Previously, if the following error message was issued,
|
|
|
|
|
Shorewall was left in an inconsistent state.<br>
|
|
|
|
|
<br>
|
|
|
|
|
Error: Unable to determine the routes routes through
|
|
|
|
|
interface xxx<br>
|
|
|
|
|
<br>
|
|
|
|
|
</li>
|
|
|
|
|
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
|
|
|
|
|
been corrected.</li>
|
|
|
|
|
<li>In Shorewall 1.4.2, an optimization was added. This
|
|
|
|
|
optimization
|
|
|
|
|
involved creating a chain named "<zone>_frwd" for most zones
|
|
|
|
|
defined using the /etc/shorewall/hosts file. It has since been
|
|
|
|
|
discovered that in many cases these new chains contain redundant rules
|
|
|
|
|
and that the "optimization" turns out to be less than optimal. The
|
|
|
|
|
implementation has now been corrected.</li>
|
|
|
|
|
<li>When the MARK value in a tcrules entry is followed by ":F"
|
|
|
|
|
or
|
|
|
|
|
":P", the ":F" or ":P" was previously only applied to the first
|
|
|
|
|
Netfilter rule generated by the entry. It is now applied to all entries.</li>
|
|
|
|
|
</ol>
|
2003-10-07 00:38:40 +02:00
|
|
|
<b>10/06/2003 - Shorewall 1.4.7</b><b> <img
|
|
|
|
|
style="border: 0px solid ; width: 28px; height: 12px;"
|
|
|
|
|
src="images/new10.gif" alt="(New)" title=""></b><br>
|
|
|
|
|
<b><br>
|
2003-10-22 00:22:44 +02:00
|
|
|
Problems Corrected since version 1.4.6 (Those in bold font were
|
|
|
|
|
corrected since 1.4.7 RC2).</b><br>
|
2003-06-23 22:24:51 +02:00
|
|
|
<ol>
|
2003-10-07 00:38:40 +02:00
|
|
|
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
|
|
|
|
|
variable was being tested before it was set.</li>
|
|
|
|
|
<li>Corrected handling of MAC addresses in the SOURCE column of
|
|
|
|
|
the tcrules file. Previously, these addresses resulted in an invalid
|
|
|
|
|
iptables command.</li>
|
|
|
|
|
<li>The "shorewall stop" command is now disabled when
|
|
|
|
|
/etc/shorewall/startup_disabled exists. This prevents people from
|
|
|
|
|
shooting themselves in the foot prior to having configured Shorewall.</li>
|
|
|
|
|
<li>A change introduced in version 1.4.6 caused error messages
|
|
|
|
|
during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
|
|
|
|
|
were being added to a PPP interface; the addresses were successfully
|
|
|
|
|
added in spite of the messages.<br>
|
|
|
|
|
<br>
|
|
|
|
|
The firewall script has been modified to eliminate the error messages</li>
|
2003-10-22 00:22:44 +02:00
|
|
|
<li>Interface-specific dynamic blacklisting chains are now
|
|
|
|
|
displayed by "shorewall monitor" on the "Dynamic Chains" page
|
2003-10-07 00:38:40 +02:00
|
|
|
(previously named "Dynamic Chain").</li>
|
|
|
|
|
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
|
2003-10-22 00:22:44 +02:00
|
|
|
<li value="7">The 'shorewall reject' and 'shorewall drop'
|
|
|
|
|
commands now delete any existing rules for the subject IP address
|
|
|
|
|
before adding a new DROP or REJECT rule. Previously, there could be
|
|
|
|
|
many rules for the same IP address in the dynamic chain so that
|
|
|
|
|
multiple 'allow' commands were required to re-enable traffic to/from
|
|
|
|
|
the address.</li>
|
|
|
|
|
<li>When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following
|
|
|
|
|
entry in /etc/shorewall/masq resulted in a startup error:<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<br>
|
|
|
|
|
eth0 eth1
|
|
|
|
|
206.124.146.20-206.124.146.24<br>
|
|
|
|
|
<br>
|
|
|
|
|
</li>
|
2003-10-22 00:22:44 +02:00
|
|
|
<li>Shorewall previously choked over IPV6 addresses configured
|
|
|
|
|
on interfaces in contexts where Shorewall needed to detect something
|
|
|
|
|
about the interface (such as when "detect" appears in the BROADCAST
|
|
|
|
|
column of the /etc/shorewall/interfaces file).</li>
|
|
|
|
|
<li>Shorewall will now load module files that are formed from
|
|
|
|
|
the module name by appending ".o.gz".</li>
|
|
|
|
|
<li>When Shorewall adds a route to a proxy ARP host and such a
|
|
|
|
|
route already exists, two routes resulted previously. This has been
|
|
|
|
|
corrected so that the existing route is replaced if it already exists.</li>
|
|
|
|
|
<li>The rfc1918 file has been updated to reflect recent
|
|
|
|
|
allocations.</li>
|
|
|
|
|
<li>The documentation of the USER SET column in the rules file
|
|
|
|
|
has been corrected.</li>
|
|
|
|
|
<li>If there is no policy defined for the zones specified in a
|
|
|
|
|
rule, the firewall script previously encountered a shell syntax error:<br>
|
|
|
|
|
<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
[: NONE: unexpected operator<br>
|
2003-10-22 00:22:44 +02:00
|
|
|
<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
Now, the absence of a policy generates an error message and the
|
|
|
|
|
firewall is stopped:<br>
|
2003-10-22 00:22:44 +02:00
|
|
|
<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
No policy defined from zone
|
|
|
|
|
<source> to zone <dest><br>
|
|
|
|
|
<br>
|
|
|
|
|
</li>
|
2003-10-22 00:22:44 +02:00
|
|
|
<li>Previously, if neither /etc/shorewall/common nor
|
|
|
|
|
/etc/shorewall/common.def existed, Shorewall would fail to start and
|
|
|
|
|
would not remove the lock file. Failure to remove the lock file
|
|
|
|
|
resulted in the following during subsequent attempts to start:<br>
|
|
|
|
|
<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
Loading /usr/share/shorewall/functions...<br>
|
|
|
|
|
Processing /etc/shorewall/params ...<br>
|
|
|
|
|
Processing /etc/shorewall/shorewall.conf...<br>
|
|
|
|
|
Giving up on lock file /var/lib/shorewall/lock<br>
|
|
|
|
|
Shorewall Not Started<br>
|
|
|
|
|
<br>
|
|
|
|
|
Shorewall now reports a fatal error if neither of these two files exist
|
|
|
|
|
and correctly removes the lock fille.</li>
|
2003-10-22 00:22:44 +02:00
|
|
|
<li>The order of processing the various options has been
|
|
|
|
|
changed such that blacklist entries now take precedence over the 'dhcp'
|
|
|
|
|
interface setting.</li>
|
|
|
|
|
<li>The log message generated from the 'logunclean' interface
|
|
|
|
|
option has been changed to reflect a disposition of LOG rather than
|
|
|
|
|
DROP.</li>
|
2003-10-07 00:38:40 +02:00
|
|
|
<li><span style="font-weight: bold;">When a user name and/or a
|
2003-10-22 00:22:44 +02:00
|
|
|
group name was specified in the USER SET column and the destination
|
|
|
|
|
zone
|
|
|
|
|
was qualified with a IP address, the user and/or group name was not
|
|
|
|
|
being used to qualify the rule.<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<br>
|
|
|
|
|
Example:<br>
|
|
|
|
|
<br>
|
|
|
|
|
ACCEPT fw net:192.0.2.12 tcp 23 - - - vladimir:<br>
|
|
|
|
|
<br>
|
|
|
|
|
</span></li>
|
|
|
|
|
<li><span style="font-weight: bold;">The /etc/shorewall/masq
|
|
|
|
|
file has had the spurious "/" character at the front removed.</span></li>
|
2003-06-23 22:24:51 +02:00
|
|
|
</ol>
|
2003-10-07 00:38:40 +02:00
|
|
|
<b>Migration Issues:</b><br>
|
2003-06-23 22:24:51 +02:00
|
|
|
<ol>
|
2003-10-07 00:38:40 +02:00
|
|
|
<li>Shorewall IP Traffic Accounting has changed since snapshot
|
|
|
|
|
20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
|
|
|
|
|
details.</li>
|
|
|
|
|
<li>The Uset Set capability introduced in SnapShot 20030821 has
|
|
|
|
|
changed -- see the <a href="UserSets.html">User Set page</a> for
|
|
|
|
|
details.</li>
|
2003-10-22 00:22:44 +02:00
|
|
|
<li>The per-interface Dynamic Blacklisting facility introduced
|
|
|
|
|
in the first post-1.4.6 Snapshot has been removed. The facility had too
|
|
|
|
|
many idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
</li>
|
2003-06-23 22:24:51 +02:00
|
|
|
</ol>
|
2003-10-07 00:38:40 +02:00
|
|
|
<b></b><b>New Features:</b><br>
|
2003-05-21 01:21:38 +02:00
|
|
|
<ol>
|
2003-10-07 00:38:40 +02:00
|
|
|
<li>Shorewall now creates a dynamic blacklisting chain for each
|
|
|
|
|
interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
|
|
|
|
|
commands use the routing table to determine which of these chains is to
|
|
|
|
|
be used for blacklisting the specified IP address(es).<br>
|
|
|
|
|
<br>
|
|
|
|
|
Two new commands ('dropall' and 'rejectall') have been introduced that
|
|
|
|
|
do what 'drop' and 'reject' used to do; namely, when an address is
|
|
|
|
|
blacklisted using these new commands, it will be blacklisted on all of
|
|
|
|
|
your firewall's interfaces.</li>
|
|
|
|
|
<li>Thanks to Steve Herber, the 'help' command can now give
|
|
|
|
|
command-specific help (e.g., shorewall help <command>).</li>
|
|
|
|
|
<li>A new option "ADMINISABSENTMINDED" has been added to
|
|
|
|
|
/etc/shorewall/shorewall.conf. This option has a default value of "No"
|
|
|
|
|
for existing users which causes Shorewall's 'stopped' state to
|
2003-10-22 00:22:44 +02:00
|
|
|
continue
|
|
|
|
|
as it has been; namely, in the stopped state only traffic to/from hosts
|
|
|
|
|
listed in /etc/shorewall/routestopped is accepted.<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<br>
|
|
|
|
|
With ADMINISABSENTMINDED=Yes (the default for new installs), in
|
|
|
|
|
addition to traffic to/from the hosts listed in
|
|
|
|
|
/etc/shorewall/routestopped, Shorewall will allow:<br>
|
|
|
|
|
<br>
|
|
|
|
|
a) All traffic originating from the firewall itself; and<br>
|
|
|
|
|
b) All traffic that is part of or related to an
|
2003-10-22 00:22:44 +02:00
|
|
|
already-existing
|
|
|
|
|
connection.<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<br>
|
|
|
|
|
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
|
|
|
|
|
entered through an ssh session will not kill the session.<br>
|
|
|
|
|
<br>
|
|
|
|
|
Note though that even with ADMINISABSENTMINDED=Yes, it is still
|
|
|
|
|
possible for people to shoot themselves in the foot.<br>
|
|
|
|
|
<br>
|
|
|
|
|
Example:<br>
|
|
|
|
|
<br>
|
|
|
|
|
/etc/shorewall/nat:<br>
|
|
|
|
|
<br>
|
|
|
|
|
206.124.146.178
|
|
|
|
|
eth0:0 192.168.1.5 <br>
|
|
|
|
|
<br>
|
|
|
|
|
/etc/shorewall/rules:<br>
|
|
|
|
|
<br>
|
|
|
|
|
ACCEPT net
|
|
|
|
|
loc:192.168.1.5 tcp 22<br>
|
|
|
|
|
ACCEPT loc
|
|
|
|
|
fw tcp 22<br>
|
|
|
|
|
<br>
|
|
|
|
|
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
|
|
|
|
|
connection with local system 192.168.1.5. I then create a second SSH
|
2003-10-22 00:22:44 +02:00
|
|
|
connection from that computer to the firewall and confidently type
|
|
|
|
|
"shorewall stop". As part of its stop processing, Shorewall removes
|
|
|
|
|
eth0:0 which kills my SSH connection to 192.168.1.5!!!</li>
|
2003-10-07 00:38:40 +02:00
|
|
|
<li>Given the wide range of VPN software, I can never hope to
|
|
|
|
|
add specific support for all of it. I have therefore decided to add
|
|
|
|
|
"generic" tunnel support.<br>
|
|
|
|
|
<br>
|
|
|
|
|
Generic tunnels work pretty much like any of the other tunnel types.
|
|
|
|
|
You usually add a zone to represent the systems at the other end of the
|
|
|
|
|
tunnel and you add the appropriate rules/policies to<br>
|
|
|
|
|
implement your security policy regarding traffic to/from those systems.<br>
|
|
|
|
|
<br>
|
|
|
|
|
In the /etc/shorewall/tunnels file, you can have entries of the form:<br>
|
|
|
|
|
<br>
|
|
|
|
|
generic:<protocol>[:<port>] <zone> <ip
|
|
|
|
|
address> <gateway zones><br>
|
|
|
|
|
<br>
|
|
|
|
|
where:<br>
|
|
|
|
|
<br>
|
|
|
|
|
<protocol> is the protocol
|
|
|
|
|
used by the tunnel<br>
|
|
|
|
|
<port> if the protocol
|
2003-10-22 00:22:44 +02:00
|
|
|
is 'udp' or 'tcp' then this is the
|
|
|
|
|
destination port number used by the tunnel.<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<zone> is the zone of
|
|
|
|
|
the remote tunnel gateway<br>
|
|
|
|
|
<ip address> is the IP
|
2003-10-22 00:22:44 +02:00
|
|
|
address of the remote tunnel
|
|
|
|
|
gateway.<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<gateway zone>
|
2003-10-22 00:22:44 +02:00
|
|
|
Optional. A comma-separated list of zone
|
|
|
|
|
names. If specified, the remote gateway is to be considered part of
|
|
|
|
|
these zones.</li>
|
2003-10-07 00:38:40 +02:00
|
|
|
<li>An 'arp_filter' option has been added to the
|
|
|
|
|
/etc/shorewall/interfaces file. This option causes
|
|
|
|
|
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
|
|
|
|
|
result that this interface will only answer ARP 'who-has' requests from
|
|
|
|
|
hosts that are routed out through that interface. Setting this option
|
|
|
|
|
facilitates testing of your firewall where multiple firewall interfaces
|
|
|
|
|
are connected to the same HUB/Switch (all interfaces connected to the
|
|
|
|
|
single HUB/Switch should have this option specified). Note that using
|
|
|
|
|
such a configuration in a production environment is strongly
|
2003-10-22 00:22:44 +02:00
|
|
|
recommended
|
|
|
|
|
against.</li>
|
2003-10-07 00:38:40 +02:00
|
|
|
<li>The ADDRESS column in /etc/shorewall/masq may now include a
|
|
|
|
|
comma-separated list of addresses and/or address ranges. Netfilter will
|
|
|
|
|
use all listed addresses/ranges in round-robin fashion. \</li>
|
|
|
|
|
<li>An /etc/shorewall/accounting file has been added to allow
|
|
|
|
|
for traffic accounting. See the <a href="Accounting.html">accounting
|
|
|
|
|
documentation</a> for a description of this facility.</li>
|
|
|
|
|
<li>Bridge interfaces (br[0-9]) may now be used in
|
|
|
|
|
/etc/shorewall/maclist.</li>
|
|
|
|
|
<li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
|
|
|
|
|
/etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
|
|
|
|
|
rules, rate limiting occurs in the nat table DNAT rule; the
|
|
|
|
|
corresponding ACCEPT rule in the filter table is not rate limited. If
|
|
|
|
|
you want to limit the filter table rule, you will need o create two
|
|
|
|
|
rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
|
|
|
|
|
separately.<br>
|
|
|
|
|
<br>
|
|
|
|
|
<span style="font-weight: bold;">Warning: </span>When rate
|
|
|
|
|
limiting is specified on a rule with "all" in the SOURCE or DEST
|
2003-10-22 00:22:44 +02:00
|
|
|
fields,
|
|
|
|
|
the limit will apply to each pair of zones individually rather than as
|
|
|
|
|
a single limit for all pairs of covered by the rule.<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<br>
|
|
|
|
|
To specify a rate limit, <br>
|
|
|
|
|
<br>
|
|
|
|
|
a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
|
|
|
|
|
<br>
|
|
|
|
|
<
|
|
|
|
|
<rate>/<interval>[:<burst>] ><br>
|
|
|
|
|
<br>
|
2003-10-22 00:22:44 +02:00
|
|
|
where<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<br>
|
|
|
|
|
<rate> is the sustained rate per
|
|
|
|
|
<interval><br>
|
|
|
|
|
<interval> is "sec" or "min"<br>
|
|
|
|
|
<burst> is the largest burst
|
2003-10-22 00:22:44 +02:00
|
|
|
accepted within an
|
|
|
|
|
<interval>. If not given, the default of 5 is assumed.<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<br>
|
|
|
|
|
There may be no white space between the ACTION and "<" nor there may
|
|
|
|
|
be any white space within the burst specification. If you want to
|
|
|
|
|
specify logging of a rate-limited rule, the ":" and log level comes
|
|
|
|
|
after the ">" (e.g., ACCEPT<2/sec:4>:info ).<br>
|
|
|
|
|
<br>
|
|
|
|
|
b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
|
|
|
|
|
file. You may specify the rate limit there in the format:<br>
|
|
|
|
|
<br>
|
|
|
|
|
|
|
|
|
|
<rate>/<interval>[:<burst>]<br>
|
|
|
|
|
<br>
|
|
|
|
|
Let's take an example:<br>
|
|
|
|
|
<br>
|
|
|
|
|
|
|
|
|
|
ACCEPT<2/sec:4>
|
|
|
|
|
net dmz
|
|
|
|
|
tcp 80<br>
|
|
|
|
|
<br>
|
|
|
|
|
The first time this rule is reached, the packet will be accepted; in
|
|
|
|
|
fact, since the burst is 4, the first four packets will be accepted.
|
|
|
|
|
After this, it will be 500ms (1 second divided by the rate<br>
|
|
|
|
|
of 2) before a packet will be accepted from this rule, regardless of
|
|
|
|
|
how many packets reach it. Also, every 500ms which passes without
|
|
|
|
|
matching a packet, one of the bursts will be regained; if no packets
|
2003-10-22 00:22:44 +02:00
|
|
|
hit
|
|
|
|
|
the rule for 2 second, the burst will be fully recharged; back where we
|
|
|
|
|
started.<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
</li>
|
|
|
|
|
<li>Multiple chains may now be displayed in one "shorewall
|
|
|
|
|
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
|
|
|
|
<li>Output rules (those with $FW as the SOURCE) may now be
|
|
|
|
|
limited to a set of local users and/or groups. See <a
|
|
|
|
|
href="UserSets.html">http://shorewall.net/UserSets.html</a> for
|
|
|
|
|
details.</li>
|
2003-07-22 00:06:18 +02:00
|
|
|
</ol>
|
2003-04-13 17:28:32 +02:00
|
|
|
<p><b><a href="News.htm">More News</a></b></p>
|
2003-10-07 00:38:40 +02:00
|
|
|
<b> </b>
|
2003-04-13 17:28:32 +02:00
|
|
|
<h2><b> </b></h2>
|
2003-10-07 00:38:40 +02:00
|
|
|
<b> </b>
|
2003-05-18 20:38:34 +02:00
|
|
|
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
|
|
|
|
border="0" src="images/leaflogo.gif" width="49" height="36"
|
2003-10-07 00:38:40 +02:00
|
|
|
alt="(Leaf Logo)"> </a>Jacques Nilo and Eric Wolzak have a LEAF
|
|
|
|
|
(router/firewall/gateway on a floppy, CD or compact flash) distribution
|
|
|
|
|
called <i>Bering</i> that features Shorewall-1.4.2 and Kernel-2.4.20.
|
|
|
|
|
You can find their work at: <a
|
|
|
|
|
href="http://leaf.sourceforge.net/devel/jnilo">
|
|
|
|
|
http://leaf.sourceforge.net/devel/jnilo</a></p>
|
|
|
|
|
<b>Congratulations to Jacques and Eric on the recent release of
|
|
|
|
|
Bering 1.2!!! </b><br>
|
2003-04-13 17:28:32 +02:00
|
|
|
<h1 align="center"><b><a href="http://www.sf.net"><img
|
|
|
|
|
align="left" alt="SourceForge Logo"
|
2003-10-07 00:38:40 +02:00
|
|
|
src="http://sourceforge.net/sflogo.php?group_id=22587&type=3"> </a></b></h1>
|
|
|
|
|
<b> </b>
|
|
|
|
|
<h4><b> </b></h4>
|
|
|
|
|
<b> </b>
|
2003-04-13 17:28:32 +02:00
|
|
|
<h2><b>This site is hosted by the generous folks at <a
|
2003-10-07 00:38:40 +02:00
|
|
|
href="http://www.sf.net">SourceForge.net</a> </b></h2>
|
|
|
|
|
<b> </b>
|
2003-04-13 17:28:32 +02:00
|
|
|
<h2><b><a name="Donations"></a>Donations</b></h2>
|
2003-10-07 00:38:40 +02:00
|
|
|
<b> </b></td>
|
|
|
|
|
<td width="88" bgcolor="#3366ff" valign="top" align="center">
|
2003-05-18 20:38:34 +02:00
|
|
|
<form method="post"
|
2003-10-07 00:38:40 +02:00
|
|
|
action="http://lists.shorewall.net/cgi-bin/htsearch">
|
2003-05-18 20:38:34 +02:00
|
|
|
<p><strong><br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<font color="#ffffff"><b>Note: </b></font></strong> <font
|
|
|
|
|
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
|
|
|
|
|
</p>
|
2003-05-18 20:38:34 +02:00
|
|
|
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<font face="Arial" size="-1"> <input type="text" name="words"
|
|
|
|
|
size="15"></font><font size="-1"> </font><font face="Arial" size="-1">
|
|
|
|
|
<input type="hidden" name="format" value="long"> <input
|
|
|
|
|
type="hidden" name="method" value="and"> <input type="hidden"
|
|
|
|
|
name="config" value="htdig"> <input type="submit" value="Search"></font>
|
|
|
|
|
</p>
|
|
|
|
|
<font face="Arial"> <input type="hidden" name="exclude"
|
|
|
|
|
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
|
|
|
|
|
<p><font color="#ffffff"><b> <a
|
|
|
|
|
href="http://lists.shorewall.net/htdig/search.html"> <font
|
2003-05-18 20:38:34 +02:00
|
|
|
color="#ffffff">Extended Search</font></a></b></font></p>
|
2003-10-07 00:38:40 +02:00
|
|
|
<a target="_top" href="1.3/index.html"><font color="#ffffff"> </font></a><a
|
2003-08-05 20:38:21 +02:00
|
|
|
target="_top" href="http://www1.shorewall.net/1.2/index.htm"><font
|
|
|
|
|
color="#ffffff"><small><small><small></small></small></small></font></a><br>
|
2003-10-07 00:38:40 +02:00
|
|
|
</td>
|
|
|
|
|
</tr>
|
|
|
|
|
</tbody>
|
2002-12-28 16:38:03 +01:00
|
|
|
</table>
|
2003-10-07 00:38:40 +02:00
|
|
|
</center>
|
|
|
|
|
</div>
|
2002-12-28 16:38:03 +01:00
|
|
|
<table border="0" cellpadding="5" cellspacing="0"
|
|
|
|
|
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
2003-07-22 00:06:18 +02:00
|
|
|
bgcolor="#3366ff">
|
2003-10-07 00:38:40 +02:00
|
|
|
<tbody>
|
|
|
|
|
<tr>
|
|
|
|
|
<td width="100%" style="margin-top: 1px;">
|
|
|
|
|
<p align="center"><a href="http://www.starlight.org"> <img
|
2002-12-28 16:38:03 +01:00
|
|
|
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
2003-10-07 00:38:40 +02:00
|
|
|
hspace="10"> </a></p>
|
2003-06-23 22:24:51 +02:00
|
|
|
<p align="center"><font size="4" color="#ffffff"><br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<font size="+2">Shorewall is free but if you try it and find it
|
|
|
|
|
useful, please consider making a donation to <a
|
|
|
|
|
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
|
|
|
|
Children's Foundation.</font></a> Thanks!</font></font></p>
|
|
|
|
|
</td>
|
|
|
|
|
</tr>
|
|
|
|
|
</tbody>
|
2003-01-14 21:32:45 +01:00
|
|
|
</table>
|
2003-10-22 00:22:44 +02:00
|
|
|
<p><font size="2">Updated 10/21/2003 - <a href="support.htm">Tom Eastep</a></font>
|
2003-10-07 00:38:40 +02:00
|
|
|
<br>
|
|
|
|
|
</p>
|
2002-12-28 16:38:03 +01:00
|
|
|
</body>
|
|
|
|
|
</html>
|
